[id="proc-secret-rotation_{context}"]
[[_proc-secret-rotation]]
= Creating an OIDC Client Secret Rotation Policy
[role="_abstract"]
The following is an example of defining a secret rotation policy:

.Procedure
. Click *Realm Settings* in the menu.
. Click the *Client Policies* tab.
ifeval::[{project_community}==true]
. On the *Profiles* page, click *Create client profile*.
endif::[]
ifeval::[{project_product}==true]
. On the *Profiles* page, click *Create*.
endif::[]
+
.Create a profile
image:{project_images}/create-oidc-client-profile.png[Create Client Profile]
. Enter any name for *Name*.
. Enter a description that helps you identify the purpose of the profile for *Description*.
. Click *Save*.
+
This action creates the profile and enables you to configure executors.
ifeval::[{project_community}==true]
. Click *Add executor* to configure an executor for this profile.
endif::[]
ifeval::[{project_product}==true]
. Click *Create* to configure an executor for this profile.
endif::[]
+
.Create a profile executor
image:{project_images}/create-oidc-client-secret-rotation-executor.png[Client Profile Executor]
. Select _secret-rotation_ for *Executor Type*.
. Enter the maximum duration of each secret, in seconds, for *Secret Expiration*.
. Enter the maximum duration of each rotated secret, in seconds, for *Rotated Secret Expiration*.
+
WARNING: Remember that the *Rotated Secret Expiration* value must always be less than *Secret Expiration*.
. Enter the amount of time, in seconds, before the secret expires during which any update action will update the client, for *Remain Expiration Time*.
ifeval::[{project_community}==true]
. Click *Add*.
endif::[]
ifeval::[{project_product}==true]
. Click *Save*.
endif::[]
+
====
In the example above:

* Each secret is valid for one week.
* The rotated secret expires after two days.
* The window for updating dynamic clients starts one day before the secret expires.
====
+
. Return to the *Client Policies* tab.
. Click *Policies*.
ifeval::[{project_community}==true]
. Click *Create client policy*.
endif::[]
ifeval::[{project_product}==true]
. Click *Create*.
endif::[]
+
.Create the Client Secret Rotation Policy
image:{project_images}/create-oidc-client-secret-rotation-policy.png[Client Rotation Policy]
. Enter any name for *Name*.
. Enter a description that helps you identify the purpose of the policy for *Description*.
. Click *Save*.
+
This action creates the policy and enables you to associate policies with profiles. It also allows you to configure the conditions for policy execution.
+
ifeval::[{project_community}==true]
. Under Conditions, click *Add condition*.
endif::[]
ifeval::[{project_product}==true]
. Under Conditions, click *Create*.
endif::[]
+
.Create the Client Secret Rotation Policy Condition
image:{project_images}/create-oidc-client-secret-rotation-condition.png[Client Rotation Policy Condition]
. To apply the behavior to all confidential clients, select _client-access-type_ in the *Condition Type* field.
+
[NOTE]
====
To apply the policy to a specific group of clients, another approach is to select the _client-roles_ type in the *Condition Type* field. In this way, you can create specific roles and assign a custom rotation configuration to each role.
====
+
. Add _confidential_ to the *Client Access Type* field.
ifeval::[{project_community}==true]
. Click *Add*.
. Back in the policy settings, under _Client Profiles_, click *Add client profile*, select *Weekly Client Secret Rotation Profile* from the list, and then click *Add*.
endif::[]
ifeval::[{project_product}==true]
. Click *Save*.
. Back in the policy settings, under _Client Profiles_, in the *Add client profile* selection menu, select the profile *Weekly Client Secret Rotation Profile* created earlier.
endif::[]

.Client Secret Rotation Policy
image:{project_images}/oidc-client-secret-rotation-policy.png[Client Rotation Policy]

[NOTE]
====
To apply the secret rotation behavior to an existing client, follow these steps:

.Using the Admin Console
. Click *Clients* in the menu.
. Click a client.
. Click the *Credentials* tab.
ifeval::[{project_community}==true]
. Click *Re-generate* next to the client secret.
endif::[]
ifeval::[{project_product}==true]
. Click *_Re-generate secret_*.
endif::[]
====

---

.Using client REST services
It can be executed in two ways:

* Through an update operation on a client
* Through the regenerate client secret endpoint
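The three executor settings above (*Secret Expiration*, *Rotated Secret Expiration*, *Remain Expiration Time*) and the two REST paths in the final note (an update operation, or regenerating the secret) interact in a way that is easier to see in code. The following is an added, self-contained Python model written for this page; it is not Keycloak's implementation and does not call its REST API. It assumes the semantics as the page states them: an update only rotates once the secret is inside the remain-expiration window, regeneration always rotates, the previous secret stays usable as the "rotated secret" for at most *Rotated Secret Expiration* seconds from the rotation, and a policy whose rotated expiration is not shorter than the secret expiration is rejected as the WARNING requires. Names such as `RotationPolicy`, `ClientSecrets` and `on_client_update` are hypothetical, and the timeline in `__main__` is constructed.

```python
from dataclasses import dataclass
from typing import Optional
import secrets

DAY = 86_400  # seconds


@dataclass(frozen=True)
class RotationPolicy:
    """Hypothetical model of the three secret-rotation executor settings, all in seconds."""
    secret_expiration: int          # Secret Expiration: lifetime of each secret
    rotated_secret_expiration: int  # Rotated Secret Expiration: how long the previous secret stays usable
    remain_expiration_time: int     # Remain Expiration Time: window before expiry in which an update rotates

    def __post_init__(self) -> None:
        # Enforce the page's WARNING: the rotated secret must expire sooner than a full secret would.
        if self.rotated_secret_expiration >= self.secret_expiration:
            raise ValueError("Rotated Secret Expiration must be less than Secret Expiration")
        if min(self.secret_expiration, self.rotated_secret_expiration, self.remain_expiration_time) < 0:
            raise ValueError("durations must be non-negative")


# The page's example values: one week, two days, one day.
EXAMPLE_POLICY = RotationPolicy(secret_expiration=7 * DAY,
                                rotated_secret_expiration=2 * DAY,
                                remain_expiration_time=1 * DAY)


@dataclass(frozen=True)
class ClientSecrets:
    """Hypothetical per-client state: the current secret and, after a rotation, the previous one."""
    secret: str
    secret_created_at: int                # epoch seconds
    rotated_secret: Optional[str] = None
    rotated_at: Optional[int] = None      # epoch seconds of the rotation that demoted it


def expires_at(state: ClientSecrets, policy: RotationPolicy) -> int:
    """Absolute expiry time of the current secret."""
    return state.secret_created_at + policy.secret_expiration


def rotate(state: ClientSecrets, now: int) -> ClientSecrets:
    """Issue a new secret; the old one becomes the rotated secret (the 'regenerate' path)."""
    return ClientSecrets(secret=secrets.token_urlsafe(32), secret_created_at=now,
                         rotated_secret=state.secret, rotated_at=now)


def on_client_update(state: ClientSecrets, policy: RotationPolicy, now: int) -> ClientSecrets:
    """An update operation rotates only once the secret is inside the Remain Expiration Time window."""
    if now >= expires_at(state, policy) - policy.remain_expiration_time:
        return rotate(state, now)
    return state  # too early: the update leaves the secret untouched


def is_secret_accepted(state: ClientSecrets, policy: RotationPolicy, presented: str, now: int) -> bool:
    """Authentication check: current secret until its expiry, rotated secret until its own shorter expiry."""
    if secrets.compare_digest(presented, state.secret) and now < expires_at(state, policy):
        return True
    if state.rotated_secret is not None and state.rotated_at is not None:
        rotated_expires_at = state.rotated_at + policy.rotated_secret_expiration
        if secrets.compare_digest(presented, state.rotated_secret) and now < rotated_expires_at:
            return True
    return False


if __name__ == "__main__":
    # Constructed timeline: secret created at t=0, update attempts at day 3 and day 6.5.
    state = ClientSecrets(secret="initial-secret", secret_created_at=0)
    for t in (3 * DAY, 6 * DAY + 12 * 3600):
        new_state = on_client_update(state, EXAMPLE_POLICY, t)
        print(f"update at day {t / DAY:.1f}: rotated={new_state is not state}")
        state = new_state
    print("old secret still accepted one day after rotation:",
          is_secret_accepted(state, EXAMPLE_POLICY, "initial-secret", state.rotated_at + DAY))
```

The point to take from the model is the overlap it creates: a client that updates itself on day 6.5 receives a new secret but can keep authenticating with the old one for another two days, which is the grace period that lets a fleet of deployed instances pick up the new value without an outage, while a misconfigured policy (rotated expiration longer than the secret itself) is refused up front rather than silently extending the old secret's life.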